Inject reserved pipeline policy stages
What does this MR do and why?
This MR adds support for reserved stages.
A policy can declare its jobs in the following stages:
- `.pipeline-policy-pre` - runs before `.pre`
- `.pipeline-policy-post` - runs after `.post`
These stages cannot be used by project CI configuration.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Stages cannot be used by project CI configuration:
Stages don't show up in the available stages list:
If used from a policy, they are injected into the pipeline:
How to set up and validate locally
- In the Rails console, enable the feature flag: `Feature.enable(:pipeline_execution_policy_type)`
- Create a group
- In the group, create a `Compliance project`
- In the `Compliance project`, create a file `reserved-stages.yml`:

```yaml
build job:
  stage: .pipeline-policy-pre
  script:
    - sleep 3 && echo "Policy building..."

slow policy test job:
  stage: test
  script:
    - sleep 15 && echo "Slow test completed."

policy job after build:
  stage: .pipeline-policy-post
  needs:
    - "build job"
  script:
    - echo "Should start right after 'build job' finishes."

policy deploy job:
  stage: .pipeline-policy-post
  script:
    - echo "Deploying..."
```

- In the group, create a new project `SPP project`
- In the project, create a file `.gitlab/security-policies/policy.yml` with the following content:

```yaml
---
pipeline_execution_policy:
  - name: Reserved stages policy
    description: ''
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: <group-path>/compliance-project
          file: reserved-stages.yml
          ref: main
```

- Create another project in the group: `Test`
- In the project `Test`, go to Secure -> Policies, edit the policy project and select `SPP project`
- In the project `Test`, create `.gitlab-ci.yml`:

```yaml
stages:
  - build
  - test
  - deploy

build job:
  stage: build
  script:
    - echo "Compiling the code..."
    - echo "Compile complete."

project test job:
  stage: test
  script:
    - echo "Running unit tests... This will take about 60 seconds."
    - echo "Code coverage is 90%"

deploy job:
  stage: deploy
  environment: production
  script:
    - echo "Deploying application..."
    - echo "Application successfully deployed."
```
- Go to Pipelines and run a pipeline
- Verify that the stages and jobs from the policy are injected into the pipeline in the expected order (`.pipeline-policy-pre` first, `.pipeline-policy-post` last)
- Edit the project's `.gitlab-ci.yml` and try to assign a job to one of the reserved stages. Verify that this is not possible.
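The validation steps above check two properties by hand: project jobs cannot be placed in the reserved stages, and policy jobs land before `.pre` and after `.post`. The following Ruby snippet is an added, simplified model of those two checks for reasoning about the feature; it is not GitLab's implementation and does not use any GitLab internals. The reserved stage names are the ones from this MR; the sample configs, the `NON_JOB_KEYS` list and the default `build`/`test`/`deploy` stage list are assumptions made for the example.

```ruby
require 'yaml'

# Reserved stage names from the MR. Only policy-provided jobs may use them.
RESERVED_STAGES = %w[.pipeline-policy-pre .pipeline-policy-post].freeze
# Assumed default stage list for a config without a `stages:` key.
DEFAULT_STAGES = %w[build test deploy].freeze
# Assumed set of top-level CI keywords that are not jobs.
NON_JOB_KEYS = %w[stages include variables default workflow image services
                  cache before_script after_script].freeze

# Constructed sample: a well-behaved project config.
PROJECT_CI = <<~YAML
  stages:
    - build
    - test
    - deploy
  build job:
    stage: build
    script: [echo build]
  project test job:
    stage: test
    script: [echo test]
  deploy job:
    stage: deploy
    script: [echo deploy]
YAML

# Constructed sample: a project config that tries to grab a reserved stage.
BAD_PROJECT_CI = <<~YAML
  stages:
    - build
  build job:
    stage: build
    script: [echo build]
  sneaky job:
    stage: .pipeline-policy-pre
    script: [echo bypass]
YAML

# Constructed sample: policy jobs modelled on reserved-stages.yml above.
POLICY_CI = <<~YAML
  policy build job:
    stage: .pipeline-policy-pre
    script: [echo pre]
  slow policy test job:
    stage: test
    script: [echo test]
  policy deploy job:
    stage: .pipeline-policy-post
    script: [echo post]
YAML

# Extract job definitions: skip CI keywords and hidden (dot-prefixed) templates.
def jobs(config)
  config.each_with_object({}) do |(name, body), acc|
    next if NON_JOB_KEYS.include?(name) || name.start_with?('.')
    next unless body.is_a?(Hash)

    acc[name] = body
  end
end

# Names of project jobs that attempt to use a reserved stage (should be rejected).
def reserved_stage_violations(project_yaml)
  config = YAML.safe_load(project_yaml)
  jobs(config).select { |_, body| RESERVED_STAGES.include?(body['stage']) }.keys
end

# Stage order once the policy stages wrap the project's own stages.
def injected_stage_order(project_yaml)
  config = YAML.safe_load(project_yaml)
  project_stages = config.fetch('stages', DEFAULT_STAGES)
  ['.pipeline-policy-pre', '.pre', *project_stages, '.post', '.pipeline-policy-post']
end

# Project and policy jobs grouped by stage, in injected pipeline order.
def jobs_by_stage(project_yaml, policy_yaml)
  order = injected_stage_order(project_yaml)
  all = jobs(YAML.safe_load(project_yaml)).merge(jobs(YAML.safe_load(policy_yaml)))
  all.group_by { |_, body| body.fetch('stage', 'test') }
     .sort_by { |stage, _| order.index(stage) || order.size }
     .to_h { |stage, pairs| [stage, pairs.map(&:first)] }
end

if __FILE__ == $PROGRAM_NAME
  puts "violations: #{reserved_stage_violations(BAD_PROJECT_CI).inspect}"
  puts "order: #{injected_stage_order(PROJECT_CI).inspect}"
  jobs_by_stage(PROJECT_CI, POLICY_CI).each { |stage, names| puts "#{stage}: #{names.join(', ')}" }
end
```

Running it shows `sneaky job` flagged for the bad config and the policy jobs bracketing the project's `build`/`test`/`deploy` stages, which is the ordering the manual pipeline check above is meant to confirm.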
Related to #452384 (closed)
Edited by Martin Čavoj